Presentation Infor Security


Chief Information Officers (CIO)
Module 9: Information Security
Objectives of Module 9
To present and discuss the basic concepts and tools
for security of information, data and IT
infrastructure in the context of the E-Government
Program of Iraq
Information Security Concept
Protecting Information Resources and Systems From
• Unauthorized Use and Access
• Unauthorized Disclosure and Modification
• Damage and Destruction
Sources of Likely Threat for Information Systems and Resources of the Government
• Insiders for fun or revenge
• Enemies of the Nation
• Faults and Malfunction
• Insiders and Outsiders for Profit
• Acts of God
Possible Impact
• System not available
• Privacy of data violated
• Information modified/misused with consequential public and private loss
• Systems/information damaged and destroyed with consequential private and public loss
ISO 27001 Code of Practice on
Information Security Management
• Information Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Incident Management
• Business Continuity Management
• Compliance
Information Security Standards
ISO27001
PCI DSS
BS 25999 (Business Continuity Management System)
Other Standards
OCTAVE® (Operationally Critical Threat,
Asset, and Vulnerability Evaluations)
Suite of tools, techniques, and methods for risk-based
information security strategic assessment and planning
Identify Your Adversaries
• Internet Hacker
• Insider
• Thief
• Terrorist
• Industrial Spy
Which are likely targets?
• Information Systems
• Networks and IT Infrastructure
• Servers / Computers / Devices
• Databases and Information Repositories
• Information Applications
• Websites
Risk Assessment
• The “Risk Equation”
• Likelihood
• Impact
Addressing Risk
• Establish Policy
• Implement Countermeasures
• Maintain Vigilance
Vulnerability Driven Analysis
• Search for known vulnerabilities
• Tabulate and estimate severity
• Determine what assets are affected
• Assign impact value
• Consider adversaries and their motivations
• Assign likelihood
• Tabulate and report
Risk Assessment and Management
The Risk Equation
Impact × Likelihood = Risk
• Universal: applies to all types of risk
• Uniform: enables comparison
• Objective: can be tracked over time
Impact measures the level of “pain” to the organization.
Examples:
• Financial: loss or cost to repair
• Operational: lost time, production or delivery
• Reputation: loss of customer or consumer confidence
• Competitive: reduction of market advantage
• Regulatory: legal liability
• Fiduciary: fiduciary liability
Vulnerability Driven Analysis
1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are likely to be affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report
Network and System Vulnerabilities
Network:
• Unnecessary pathways
• Unsecured data-streams
System:
• Unhardened systems
• Unprotected administrator logon
• Exposed management interfaces
Asset Driven Analysis
1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report
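The risk equation and the vulnerability- and asset-driven analysis steps above can be carried through as a small risk register. This is an added example, not part of the deck or of the Iraq E-Government program; the 1-5 scales, the Pareto cutoff and every finding in it are constructed assumptions.

```python
"""Vulnerability-driven risk tabulation (added example, not the deck's).

Implements the deck's steps: known vulnerability per asset, severity,
impact, adversary-informed likelihood, then Risk = Impact x Likelihood,
ranked and cut with the roadmap's Pareto principle. The 1-5 scales and
the sample findings are constructed assumptions.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str          # step 3: affected asset
    vulnerability: str  # step 1: known vulnerability
    severity: int       # step 2: technical severity, 1-5
    impact: int         # step 4: "pain" to the organization, 1-5
    likelihood: int     # steps 5-6: likelihood given adversaries, 1-5

    def __post_init__(self):
        for name in ("severity", "impact", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood  # the deck's risk equation

def tabulate(findings, pareto=0.8):
    """Step 7: rank by risk (severity breaks ties) and flag the smallest
    top set that carries `pareto` of total risk as the priority list."""
    ranked = sorted(findings, key=lambda f: (f.risk, f.severity), reverse=True)
    total = sum(f.risk for f in ranked)
    rows, cumulative = [], 0
    for f in ranked:
        priority = cumulative < pareto * total  # still inside the 80% band
        cumulative += f.risk
        rows.append((f.asset, f.vulnerability, f.risk, priority))
    return rows

# Constructed sample findings (hypothetical systems, not real ones)
SAMPLE = [
    Finding("citizen portal", "exposed management interface", 5, 5, 4),
    Finding("citizen database", "unsecured data stream to reporting", 4, 5, 3),
    Finding("admin workstation", "unprotected administrator logon", 4, 4, 3),
    Finding("public kiosk", "unhardened system image", 3, 2, 2),
    Finding("intranet wiki", "outdated plugin", 2, 1, 2),
]

if __name__ == "__main__":
    for asset, vuln, risk, prio in tabulate(SAMPLE):
        print(f"{'*' if prio else ' '} {risk:2d}  {asset:18s} {vuln}")
```

Rows marked `*` are the findings that together carry 80% of the total risk score and would head the security areas needing attention.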
Security Policy – What Is It?
• Who?
• What’s required?
• What’s prohibited?
• What’s permitted?
Information Security Roadmap
• Initiate Risk Assessment
• Prioritize Security Areas Needing Attention – Pareto Principle
• Seek Input in Developing and Implementing a Campus Unit Security Plan
• Implement Security Plan
• Annually Review Security Plan
• Keep Up to Date with Security News
Security Provisions for BFB IS-3
• Authentication & Authorization
• Background Checks
• Control Administrative Accounts
• Data Backup/Retention/Storage and Transit Encryption
• Disaster Recovery Plan
• Incident Response/Notification Plan
• Physical Security Controls & Media Controls
Policy Statements
Most corporate policies must be translated to concrete statements.
Major elements:
• Information Classification
• System Criticality
• Operational Context
Information Classification
• Information classification streamlines policy statement and enforcement.
• CAVEAT: Over-classification leads to excessive cost and added overhead.
• CAVEAT: Some collections of unclassified data become sensitive when aggregated.
Criticality
Criticality is a quality of operational systems.
It depends upon the importance of a network system or
application.
Criticality motivates reliability measures.
Policy
• Policy defines classification and rules for access/exchange.
• Policy defines criticality.
• Policy hierarchy defines security services and quality of mechanisms.
Implement Countermeasures
Cost vs Risk
Level of Vigilance vs Frequency of Attacks
Balance Security Activities
Security Plan
Consider:
• Future business needs
• Changing threat-scape
• Tolerance to residual risk
• Establish policy
• Design security infrastructure
• Develop security procedures
Execute Plan
• Implement according to design
• Operate according to procedures
• Continually improve
Appraise
Appraise the plan:
• Does it meet the expected threats?
• Will it protect business interests?
• Are there flaws in the design?
• Is policy adequate or overly burdensome?
Appraise the execution:
• Is the design implemented correctly?
• Has the configuration changed?
• Do procedures cover all events?
• Are operators alert?
Disaster Management
&
Business Continuity
What is a Disaster?
Any unplanned event that requires
immediate redeployment of limited
resources
Sample Disasters
Natural Forces
• Fire
• Environmental Hazards
• Flood / Water Damage
• Extreme Weather
Technical Failure
• Power Outage
• Equipment Failure
• Network Failure
• Software Failure
Human Interference
• Criminal Act
• Human Error
• Loss of Users
• Explosions
What is a Disaster Recovery Plan?
A management document for how and when to
utilize resources needed to maintain selected
functions when disrupted by agreed upon
incidents
Other names commonly used:
• Business Continuity Plan
• Contingency Plans
• Continuity Plans
• Emergency Response Plans
• Business Recovery Plans
• Recovery Plans
Disaster Recovery Response
When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level). Flow diagram; recovered box labels, in the order they appear on the slide:
• Incident
• Confirm Response Strategy
• Assess Damage
• Transfer to Alternate Location
• Execute Required Functions
• Prepare New Site
• Restore Primary Site
• Return to Normal Operations
• Generate Change Requests
• Assess DRP Effectiveness
• Transfer & Execute at New Site
• Transfer & Execute at Primary Site
What is the magnitude of an incident?
• Regional Area
• Local Area
• Within 3 Blocks
• To The Building
• Within 3 Floors
• On The Floor
• Within The Room
Depending upon the magnitude of an incident, possible alternative sites include:
• Within The Room
• Within the Building
• Within the Region
• Outside the Region
Types of Strategies
Avoidance Strategy
• Redundant configuration to avoid incidents
• Site harden facilities to resist incidents
• Redundant utilities and hardware
• Automated operation recovery plan
Mitigation Strategy
• Early warning detection
• Contractual agreements with vendors
• Mirrored data and documents
• Detailed migration recovery plan
Recovery Strategy
• High level recovery plan
• Off-site data storage
• Very responsive vendor relationships
• Very knowledgeable employees
Types of Strategy Options
• Hot site
• Cold site
• Self Backup
• Service Bureau
• Reciprocal Agreement
What is a Critical Business Function?
A specific entity management has decided is so significant to the
business mission, that without it, the organization cannot
successfully operate after an identified time period
Types of Impact
Financial Loss
• Lost Revenue
• Lost Sales
• Lost Market Share
• Lost Opportunity
Human Interference
• Management Control
• Employee Relations
• Stockholder Relations
• Public Image
• Legal Exposure
• Contractual Liability
• Competitive Advantage
Extra Expense
• Labor Cost
  — Recreate Lost Business
  — Recreate Lost Data
  — Use Manual Process
• Equipment Cost
  — Hardware / Software
  — Telephones
• Money Cost
  — Delayed Receivable
  — Delayed Orders
  — New Interest
  — New Investments
Criteria for a Critical Business Function
Cost of Control vs. Impact (chart: cost of impact $ plotted against cost of control $)
Timing Requirements
• Minutes
• Hours
• Days
• Weeks
• Quarters
• Special Situations
Interdependencies
• Inputs and Outputs
Cost
Disaster Recovery Approach
Planning phase:
• Scoping & Risk Assessment
Implementation phase:
• Recovery Strategy Development
• Disaster Recovery Plan
• Training & Testing
• Approval
Planning
The primary objective of the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks.
Implementation
The primary objective of the Implementation Phase is to develop, test, and roll out a Disaster Recovery Plan. The implementation phase could be longer or shorter, depending upon the scope, approach, and staffing defined during the Scoping and Risk Assessment phase.
DR Team Organization
An Example of a Disaster Recovery Team (organization chart; recovered box labels):
DRP Management Team
• Disaster Recovery Director
• Administrative Support
• Customer Liaison
Disaster Recovery Coordinator, with teams for:
• Production Application
• System Software and Database Administration
• Security
• Computer Operation and Off-site Storage Services
• Application Support
• Network Delivery
• Delivery Site Restoration
Example: Disaster Recovery Services
Education Classes
Creating a base of common knowledge for the
business continuity/disaster recovery planning
industry through education, assistance, and the
promotion of international standards
On-Site Recovery Facilities
Manage the mobilization of an on-call response
team, prepare pre-designated site, erect temporary
pre-engineered structures, install mechanical and
electrical systems and coordinate move-in activities